You are here

Securing the Cloud

The future of the Internet could look like this: The bulk of the world’s computing is outsourced to “the cloud”―to massive data centers that house tens or even hundreds of thousands of computers. Rather than doing most of the heavy lifting themselves, our PCs, laptops, tablets and smart phones act like terminals, remotely accessing data centers through the Internet while conserving their processing juice for tasks like rendering HD video and generating concert-quality sound.

What needs to be figured out for this cloud-based future to emerge are three big things. One is how the computers within these data centers should talk to each other. Another is how the data centers should talk to each other within a super-secure cloud core. The third is how the cloud should talk to everyone else, including the big Internet service providers, the local ISPs and the end-of-the-line users (i.e. us).

This last channel, in particular, interests Michael Walfish, an assistant professor of computer science and one of the principal investigators of the NEBULA Project, which was awarded $7.5 million by the National Science Foundation to develop an architecture for making the Internet more cloud-friendly. If we’re going to be trusting so much of our computing lives to the cloud, he believes, we need to develop a more secure model for how information travels.

“A sender should be able to determine the path that information packets should take,” says Walfish. “A receiver should not have to accept traffic that she does not want. An intermediate provider should be able to know where the packet’s been and should be able to exercise its policies about the downstream provider that’s going to handle the flow next.”

Walfish’s system for providing such capacities, which he’s developing with colleagues at Stanford, the Stevens Institute of Technology, and University of California-Berkeley, is called ICING. It’s a set of protocols that allow every packet of information not only to plot out a path from beginning to end, choosing every provider along the way, but also to establish a chain of provenance as it goes that proves, to both the intermediaries and the final recipients, that it came from where it said it was coming from.

“These fields contain enough cryptographic information to be able to communicate to every realm along the way, and back to the sender, where the packet’s been. So when a packet shows up, I know where it’s been. I know whether it obeys the policies of everyone along the path. That property does not exist today.”

The advantages of such knowledge, says Walfish, should be considerable. Senders, for instance, could contract with intermediate providers for a kind of expressway through the Internet. Recipients would have an easier time sorting their incoming traffic into different levels of priority depending on the routes the packets took.

Perhaps the greatest advantage of adopting a system like ICING, says Walfish, would come in the area of security. Targets of various kinds of Internet attacks, like denial-of-service attacks, would be able to sever traffic from their attackers faster and with much greater precision. Governments would be able to set up channels of communication that pass through only well-vetted and highly-trusted service providers. Internet security companies could, from anywhere in the world, inspect your traffic for viruses.

“Right now,” says Walfish, “there are ways to deal with attackers, but they’re crude, and they’re reactive. Once the traffic enters the victim’s network link, you’re hosed. All you can do is shut it all down. It would be like if you had a huge line of people coming into your office, not letting you get work done. You could kick them all out, but you still wouldn’t get any work done because you’d spend all your time kicking them out. What you really need is for them to not show up in the first place.”

ICING, says Walfish, would also prevent “IP hijacking,” a kind of attack in which a network provider redirects net traffic by falsely “advertising” to hold a given IP address or by claiming to offer a more direct route to that address. Such IP hijackings can be globally disruptive. In 2008, for instance, the Pakistani government sought to block videos containing the controversial Danish cartoons that depicted Mohammed. The result was a global shutdown of Youtube for more than an hour. Last year, it’s believed, China Telecom was able to capture 15% of the world’s Internet traffic, for 18 minutes, by falsely claiming to be the source of more than 30,000 IP addresses.

“There are multiple reasons why this wouldn’t happen in ICING,” says Walfish. “First, in ICING, the contents of the advertisement and the name of the advertised destination are tightly bound; lie about one, and the other looks invalid. Second, because packets must respect policy, a packet taking an aberrant path will be detected as such.”

ICING, and its parent project NEBULA, are one of four multi-institutional projects being funded by the National Science Foundation’s Future Internet Architecture (FIA) program. The point of the FIA program, and of the efforts of Walfish and his colleagues, is to step back from the day-to-day challenges of managing the flow of information on the ‘net, and think more fundamentally about what kind of architecture the Internet should have going forward.

“Where ICING was born, I think,” says Walfish, “was in the realization my teammates and I had that while there was a consensus about what kinds of things needed to change, and there were a lot of proposals to make those changes, all the proposals seemed to be mutually exclusive. They all required the same space in packets. It would be like if your bike was out-of-date and someone said, oh, you can get this really cool feature if you just replace your front wheel with this wheel, and then someone else came along said, oh, you can get this other really cool feature, but you have to replace your front wheel with this wheel. Well, you can only have one front wheel. So what we set out to do was to design a much more general-purpose mechanism where you could get all these properties without their conflicting with each other, and that’s what I think we’ve done.”